
Cryptanalysis of the Original McEliece Cryptosystem

Anne Canteaut and Nicolas Sendrier
INRIA - projet CODES, BP 105, 78153 Le Chesnay, France

K. Ohta and D. Pei (Eds.): ASIACRYPT'98, LNCS 1514, pp. 187–199, 2000. © Springer-Verlag Berlin Heidelberg 2000

Abstract. The class of public-key cryptosystems based on error-correcting codes is one of the few alternatives to the common algorithms based on number theory. We here present an attack against these systems which actually consists of a new probabilistic algorithm for finding minimum-weight words in any large linear code. This new attack notably points out that McEliece cipher with its original parameters does not provide a sufficient security level.

1 Introduction

Since the concept of public-key cryptography appeared in 1977, searching for secure public-key cryptosystems and identification schemes has been one of the most active areas in the field of cryptology. Many public-key ciphers emerged just after the invention of RSA and their underlying problems were as varied as computing a discrete logarithm, solving a knapsack problem, inverting some polynomial equations over a finite field... But the development of some cryptanalysis methods has finally made most of them insecure. Twenty years after the fundamental paper of Diffie and Hellman, public-key cryptography has therefore become dangerously dependent on only two problems: integer factoring and discrete logarithm. However the class of public-key ciphers and identification schemes based on error-correcting codes still resists cryptanalysis. It relies on the hardness of decoding or, equivalently, of finding a minimum-weight codeword in a large linear code with no visible structure. The most famous of these systems are McEliece and Niederreiter ciphers [McE78,Nie86] — which are equivalent from the security point of view — and the identification schemes proposed by Stern [Ste89] and Véron [Vér95]. They are at the moment one of the few alternatives to the common public-key algorithms based on number theory.

Studying their security seems therefore essential in order to anticipate a possible important progress in factoring methods, for example. Moreover these public-key ciphers are particularly interesting since they run much faster than any algorithm relying on number theory. In this paper we present an attack on these cryptosystems which consists of a new probabilistic algorithm for finding minimum-weight codewords in any linear code. We first briefly present in Section 2 some public-key cryptosystems based on error-correcting codes. Section 3 then describes a new algorithm for finding minimum-weight words in any linear code. Using Markov chain theory we show in Section 4 how to compute the number of elementary operations it requires. In Section 5 we finally use these results to evaluate the security of these public-key cryptosystems. We notably prove that the parameters which were originally proposed by McEliece for his cryptosystem make it insecure.

2 Some Cryptosystems Based on Error-Correcting Codes

The class of public-key cryptosystems based on the hardness of decoding or of finding a minimum-weight word in a large code contains both McEliece and Niederreiter ciphers and some zero-knowledge identification schemes like the one proposed by Stern.

2.1 McEliece and Niederreiter Public-Key Ciphers

McEliece cryptosystem uses as a secret key a linear binary code chosen in a family Γ of [n, k]-linear codes with error-correcting capability t for which an efficient decoding algorithm is known. In his original paper [McE78], McEliece proposed to choose this secret code amongst the irreducible binary Goppa codes of length 1024, dimension 524 and minimum distance 101.

– private key: it is composed of an [n, k]-linear binary code C chosen in the family Γ, a random k × k binary invertible matrix S and a random n × n permutation matrix P.
– public key: it consists of the k × n matrix G' defined by G' = SGP where G is a generator matrix of the secret code C.
– encryption: the ciphertext corresponding to the k-bit message m is x = mG' + e, where e is a random n-bit error vector of weight t.
– decryption: the decryption procedure consists in computing xP^-1 = mSG + eP^-1 and using a fast decoding algorithm for C to recover mS. The message is then given by m = (mS)S^-1.

By definition the public key is therefore a generator matrix for another linear code C' which is equivalent to C. A ciphertext in McEliece cryptosystem then corresponds to a word of the public code C' with t corrupted positions.

Niederreiter proposed a dual version of this system [Nie86] where the public key is a parity-check matrix H' of a code C' equivalent to the secret code. A plaintext m is here an n-bit vector of weight t and the associated ciphertext x corresponds to the syndrome of m relatively to the public code, x = mH'^t.

McEliece and Niederreiter cryptosystems are actually equivalent from the security point of view when set up for corresponding choices of parameters [LDW94]. But for given parameters Niederreiter cipher presents many advantages. First of all it allows a public key in systematic form at no cost for security, whereas this would reveal a part of the plaintext in McEliece system. The public key in Niederreiter system is then (n − k)/n times smaller than in McEliece version. The systematic form of the public matrix H' and the low weight of vector m significantly reduce the computational cost involved in the encryption in Niederreiter system. For [1024,524,101]-binary codes its transmission rate, i.e. the number of information symbols divided by the number of transmitted symbols, is smaller than in McEliece system. Another disadvantage of McEliece system is that it is easy to recover the plaintext if it has been encrypted twice with the same public key. On the contrary Niederreiter cipher is deterministic since encrypting a given plaintext always leads to the same ciphertext. Table 1 sums up the characteristics of these systems when they both use [1024,524,101]-binary codes. It then shows that it is preferable to use the version proposed by Niederreiter.

                                              McEliece         Niederreiter     RSA
                                              [1024,524,101]   [1024,524,101]   1024-bit modulus,
                                              binary code      binary code      public exponent = 17
public-key size                               67,072 bytes     32,750 bytes     256 bytes
number of information bits transmitted
  per encryption                              512              276              1024
transmission rate                             51.17 %          56.81 %          100 %
number of binary operations performed by
  the encryption per information bit          514              50               2,402
number of binary operations performed by
  the decryption per information bit          5,140            7,863            738,112

Table 1. Performance of McEliece, Niederreiter and RSA public-key ciphers

We give for information the values corresponding to the RSA system with a 1024-bit modulus n = pq when the public exponent is 17 — we here suppose that RSA encryption and decryption use Karatsuba's method for large integer multiplication. These results point out that these public-key systems run much faster than RSA (about 50 times faster for encryption and 100 times faster for decryption). Their main disadvantages are the size of the public key and the lack of a related signature scheme.

Cryptanalysis Methods

There are mainly two guidelines to cryptanalyze McEliece cryptosystem:

– recover the original structure of the secret code from a generator (or parity-check) matrix of an equivalent code.
– decode the public code, which has no visible structure.

The first class of attacks imposes some conditions on the family of secret codes Γ. For given length, dimension and minimal distance the family Γ must be large enough to avoid any enumeration. This aims at protecting the system from the attack which consists in enumerating all the elements of Γ until a code equivalent to the public code is found. This can be performed with an algorithm due to Sendrier [Sen96] which is able to determine from two generator matrices whether they correspond to equivalent codes and then to recover the permutation. A second condition is that a generator or parity-check matrix of a permutation-equivalent code gives no information about the structure of the secret code, that is, the fast decoding algorithm requires some parameters of the secret code besides a generator matrix G'. This dismisses many families of codes like generalized Reed-Solomon codes [SS92] or concatenated codes [Sen94,Sen95]. But the family of irreducible Goppa codes is well-suited to such systems insofar as at present there exists no algorithm which is able to compute the characteristic parameters of a Goppa code from one of its permuted generator matrices. This class can even be extended to all [1024,524,101]-binary Goppa codes defined by a monic square-free polynomial of degree 50 in GF(1024)[X] which has no root in GF(1024). The cardinality of Γ is then 2^498.5. In the case where the family of codes used satisfies the above properties, the equivalent code C' defined by the public key presents no visible structure; recovering a plaintext from the corresponding ciphertext then comes down to decoding any linear code.

2.2 Stern's Public-Key Identification Scheme

Stern presented at Crypto'93 [Ste93] a public-key identification scheme which relies on the hardness of finding a low-weight codeword of given syndrome. This scheme uses an [n, k]-random linear code over GF(2). All users share a fixed parity-check matrix H for this code and an integer w slightly below the expected value for the minimal distance of a random linear code.
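The key generation, encryption and decryption steps of Section 2.1 carried through on a toy instance: this is an added example, not code from the paper, and it replaces the [1024,524,101] Goppa code by the [7,4,3] Hamming code (t = 1) so that the "fast decoding algorithm for C" is a one-line syndrome lookup. The matrix A, the message and the seeds are constructed for the illustration.

```python
import random
# Added example: toy McEliece over the [7,4,3] Hamming code (so t = 1).
# Systematic generator G = [I_4 | A] and parity-check H = [A^T | I_3] over GF(2).
A = [[1, 1, 0], [1, 0, 1], [0, 1, 1], [1, 1, 1]]
G = [[int(i == j) for j in range(4)] + A[i] for i in range(4)]
H = [[A[j][i] for j in range(4)] + [int(i == j) for j in range(3)] for i in range(3)]
HT = [list(col) for col in zip(*H)]  # rows of HT are the columns of H

def mul(X, Y):  # matrix product over GF(2); rows of Y may be lists or tuples
    return [[sum(x * Y[k][j] for k, x in enumerate(row)) % 2
             for j in range(len(Y[0]))] for row in X]

def inverse(M):  # Gauss-Jordan over GF(2); returns None if M is singular
    n = len(M)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for c in range(n):
        piv = next((r for r in range(c, n) if aug[r][c]), None)
        if piv is None:
            return None
        aug[c], aug[piv] = aug[piv], aug[c]
        for r in range(n):
            if r != c and aug[r][c]:
                aug[r] = [a ^ b for a, b in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]

def keygen(rng):  # private key (S, P); public key G' = SGP generates a code equivalent to C
    while True:
        S = [[rng.randint(0, 1) for _ in range(4)] for _ in range(4)]
        if inverse(S) is not None:
            break
    perm = rng.sample(range(7), 7)
    P = [[int(perm[i] == j) for j in range(7)] for i in range(7)]
    return mul(mul(S, G), P), (S, P)

def encrypt(Gpub, m, err_pos):  # x = mG' + e, e an error vector of weight t = 1
    x = mul([m], Gpub)[0]
    x[err_pos] ^= 1
    return x

def decrypt(priv, x):
    S, P = priv
    y = mul([x], list(zip(*P)))[0]      # xP^-1 = mSG + eP^-1, using P^-1 = P^T
    s = mul([y], HT)[0]                 # syndrome: the column of H at the error position
    if any(s):
        y[HT.index(s)] ^= 1             # the fast decoding algorithm for C (Hamming)
    return mul([y[:4]], inverse(S))[0]  # mS = first k bits (G is systematic); m = (mS)S^-1

def roundtrip(seed):  # keygen, encrypt and decrypt one constructed 4-bit message
    rng = random.Random(seed)
    Gpub, priv = keygen(rng)
    m = [1, 0, 1, 1]
    return decrypt(priv, encrypt(Gpub, m, rng.randrange(7))) == m
```

Note that G' = SGP is again systematic only by accident here; for the real parameters the text explains why McEliece cannot publish a systematic G' while Niederreiter can publish a systematic H'.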